Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.2617 Important: Red Hat JBoss Enterprise Application Platform 6.4.4 updates 16 October 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: JBoss Enterprise Application Platform Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 5 Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux Server 7 Solaris Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote/Unauthenticated Cross-site Request Forgery -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2015-5220 CVE-2015-5188 CVE-2015-5178 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2015-1904.html https://rhn.redhat.com/errata/RHSA-2015-1905.html https://rhn.redhat.com/errata/RHSA-2015-1906.html https://rhn.redhat.com/errata/RHSA-2015-1907.html Comment: This bulletin contains four (4) Red Hat security advisories. This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running JBoss Enterprise Application Platform check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update Advisory ID: RHSA-2015:1904-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1904.html Issue date: 2015-10-15 CVE Names: CVE-2015-5178 CVE-2015-5188 CVE-2015-5220 ===================================================================== 1. Summary: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.4 and fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 6.4 for RHEL 5 - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220) It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2015-5178) Note: Resolving this issue required a change in the way http requests are sent in the Console; this change may affect users. See the Release Notes linked to in the References section for details about this change. It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. (CVE-2015-5188) The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.3, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1250552 - CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking 1252885 - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console 1255597 - CVE-2015-5220 OOME from EAP 6 http management console 1256986 - RHEL5 RPMs: Upgrade jboss-security-negotiation to 2.3.8.redhat-1 1261575 - RHEL5 RPMs: Upgrade infinispan to 5.2.15.Final-redhat-1 1261580 - RHEL5 RPMs: Upgrade jboss-vfs2 to 3.2.10.Final-redhat-1 1261584 - RHEL5 RPMs: Upgrade jboss-aesh to 0.33.16.redhat-1 1261588 - RHEL5 RPMs: Upgrade jbossweb to 7.5.11.Final-redhat-1 1261599 - RHEL5 RPMs: Upgrade jboss-as-console to 2.5.10.Final-redhat-2 1261604 - RHEL5 RPMs: Upgrade jboss-hal to 2.5.10.Final-redhat-2 1261619 - RHEL5 RPMs: Upgrade jboss-weld-1.1-api to 1.1.0.Final-redhat-7 1261623 - RHEL5 RPMs: Upgrade weld-cdi-1.0-api to 1.0.0.SP4-redhat-6 1261626 - RHEL5 RPMs: Upgrade weld-core to 1.1.31.Final-redhat-1 1261991 - RHEL5 RPMs: Upgrade apache-cxf to 2.7.17.redhat-1 1262022 - RHEL5 RPMs: Upgrade jbossws-cxf to 4.3.5.Final-redhat-3 1263380 - RHEL5 RPMs: Upgrade httpserver to 1.0.5.Final-redhat-1 6. Package List: Red Hat JBoss EAP 6.4 for RHEL 5: Source: apache-cxf-2.7.17-1.redhat_1.1.ep6.el5.src.rpm httpserver-1.0.5-1.Final_redhat_1.1.ep6.el5.src.rpm infinispan-5.2.15-1.Final_redhat_1.1.ep6.el5.src.rpm jboss-aesh-0.33.16-1.redhat_1.1.ep6.el5.src.rpm jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el5.src.rpm jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el5.src.rpm jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el5.src.rpm jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el5.src.rpm jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el5.src.rpm jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el5.src.rpm jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el5.src.rpm jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el5.src.rpm weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el5.src.rpm weld-core-1.1.31-1.Final_redhat_1.1.ep6.el5.src.rpm noarch: apache-cxf-2.7.17-1.redhat_1.1.ep6.el5.noarch.rpm httpserver-1.0.5-1.Final_redhat_1.1.ep6.el5.noarch.rpm infinispan-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm infinispan-cachestore-jdbc-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm infinispan-cachestore-remote-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm infinispan-client-hotrod-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm infinispan-core-5.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-aesh-0.33.16-1.redhat_1.1.ep6.el5.noarch.rpm jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el5.noarch.rpm jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el5.noarch.rpm jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el5.noarch.rpm jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el5.noarch.rpm jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el5.noarch.rpm jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el5.noarch.rpm weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el5.noarch.rpm weld-core-1.1.31-1.Final_redhat_1.1.ep6.el5.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5178 https://access.redhat.com/security/cve/CVE-2015-5188 https://access.redhat.com/security/cve/CVE-2015-5220 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWH9k6XlSAg2UNWIIRAmWpAJwNwBCt+e8n26hwoCOB2H3veOFSxgCdH7jI yZeqYAwfbn7mH4bbWe81q8k= =8Gbn - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update Advisory ID: RHSA-2015:1905-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1905.html Issue date: 2015-10-15 CVE Names: CVE-2015-5178 CVE-2015-5188 CVE-2015-5220 ===================================================================== 1. Summary: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.4 and fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 6.4 for RHEL 6 - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220) It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2015-5178) Note: Resolving this issue required a change in the way http requests are sent in the Console; this change may affect users. See the Release Notes linked to in the References section for details about this change. It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. (CVE-2015-5188) The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.3, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1250552 - CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking 1252885 - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console 1255597 - CVE-2015-5220 OOME from EAP 6 http management console 1256985 - RHEL6 RPMs: Upgrade jboss-security-negotiation to 2.3.8.redhat-1 1261574 - RHEL6 RPMs: Upgrade infinispan to 5.2.15.Final-redhat-1 1261579 - RHEL6 RPMs: Upgrade jboss-vfs2 to 3.2.10.Final-redhat-1 1261583 - RHEL6 RPMs: Upgrade jboss-aesh to 0.33.16.redhat-1 1261587 - RHEL6 RPMs: Upgrade jbossweb to 7.5.11.Final-redhat-1 1261598 - RHEL6 RPMs: Upgrade jboss-as-console to 2.5.10.Final-redhat-2 1261603 - RHEL6 RPMs: Upgrade jboss-hal to 2.5.10.Final-redhat-2 1261618 - RHEL6 RPMs: Upgrade jboss-weld-1.1-api to 1.1.0.Final-redhat-7 1261622 - RHEL6 RPMs: Upgrade weld-cdi-1.0-api to 1.0.0.SP4-redhat-6 1261625 - RHEL6 RPMs: Upgrade weld-core to 1.1.31.Final-redhat-1 1261990 - RHEL6 RPMs: Upgrade apache-cxf to 2.7.17.redhat-1 1262021 - RHEL6 RPMs: Upgrade jbossws-cxf to 4.3.5.Final-redhat-3 1263379 - RHEL6 RPMs: Upgrade httpserver to 1.0.5.Final-redhat-1 6. Package List: Red Hat JBoss EAP 6.4 for RHEL 6: Source: apache-cxf-2.7.17-1.redhat_1.1.ep6.el6.src.rpm httpserver-1.0.5-1.Final_redhat_1.1.ep6.el6.src.rpm infinispan-5.2.15-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-aesh-0.33.16-1.redhat_1.1.ep6.el6.src.rpm jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el6.src.rpm jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el6.src.rpm jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el6.src.rpm jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el6.src.rpm jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el6.src.rpm jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el6.src.rpm weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el6.src.rpm weld-core-1.1.31-1.Final_redhat_1.1.ep6.el6.src.rpm noarch: apache-cxf-2.7.17-1.redhat_1.1.ep6.el6.noarch.rpm httpserver-1.0.5-1.Final_redhat_1.1.ep6.el6.noarch.rpm infinispan-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm infinispan-cachestore-jdbc-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm infinispan-cachestore-remote-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm infinispan-client-hotrod-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm infinispan-core-5.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-aesh-0.33.16-1.redhat_1.1.ep6.el6.noarch.rpm jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el6.noarch.rpm jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el6.noarch.rpm jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el6.noarch.rpm jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el6.noarch.rpm jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el6.noarch.rpm jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el6.noarch.rpm weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el6.noarch.rpm weld-core-1.1.31-1.Final_redhat_1.1.ep6.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5178 https://access.redhat.com/security/cve/CVE-2015-5188 https://access.redhat.com/security/cve/CVE-2015-5220 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWH9lcXlSAg2UNWIIRAhoJAKCZuJvaHSSP52Y47E9YobyarAGbqQCeIZGJ Ha1Pv8WMSr/Bij7u05M33Uo= =5+lL - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update Advisory ID: RHSA-2015:1906-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1906.html Issue date: 2015-10-15 CVE Names: CVE-2015-5178 CVE-2015-5188 CVE-2015-5220 ===================================================================== 1. Summary: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.4 and fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220) It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2015-5178) Note: Resolving this issue required a change in the way http requests are sent in the Console; this change may affect users. See the Release Notes linked to in the References section for details about this change. It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. (CVE-2015-5188) The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.3, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1250552 - CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking 1252885 - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console 1255597 - CVE-2015-5220 OOME from EAP 6 http management console 1256987 - RHEL7 RPMs: Upgrade jboss-security-negotiation to 2.3.8.redhat-1 1261576 - RHEL7 RPMs: Upgrade infinispan to 5.2.15.Final-redhat-1 1261581 - RHEL7 RPMs: Upgrade jboss-vfs2 to 3.2.10.Final-redhat-1 1261585 - RHEL7 RPMs: Upgrade jboss-aesh to 0.33.16.redhat-1 1261589 - RHEL7 RPMs: Upgrade jbossweb to 7.5.11.Final-redhat-1 1261600 - RHEL7 RPMs: Upgrade jboss-as-console to 2.5.10.Final-redhat-2 1261605 - RHEL7 RPMs: Upgrade jboss-hal to 2.5.10.Final-redhat-2 1261620 - RHEL7 RPMs: Upgrade jboss-weld-1.1-api to 1.1.0.Final-redhat-7 1261624 - RHEL7 RPMs: Upgrade weld-cdi-1.0-api to 1.0.0.SP4-redhat-6 1261627 - RHEL7 RPMs: Upgrade weld-core to 1.1.31.Final-redhat-1 1261992 - RHEL7 RPMs: Upgrade apache-cxf to 2.7.17.redhat-1 1262023 - RHEL7 RPMs: Upgrade jbossws-cxf to 4.3.5.Final-redhat-3 1263381 - RHEL7 RPMs: Upgrade httpserver to 1.0.5.Final-redhat-1 6. Package List: Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server: Source: apache-cxf-2.7.17-1.redhat_1.1.ep6.el7.src.rpm httpserver-1.0.5-1.Final_redhat_1.1.ep6.el7.src.rpm infinispan-5.2.15-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-aesh-0.33.16-1.redhat_1.1.ep6.el7.src.rpm jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el7.src.rpm jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el7.src.rpm jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el7.src.rpm jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el7.src.rpm jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el7.src.rpm jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el7.src.rpm weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el7.src.rpm weld-core-1.1.31-1.Final_redhat_1.1.ep6.el7.src.rpm noarch: apache-cxf-2.7.17-1.redhat_1.1.ep6.el7.noarch.rpm httpserver-1.0.5-1.Final_redhat_1.1.ep6.el7.noarch.rpm infinispan-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm infinispan-cachestore-jdbc-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm infinispan-cachestore-remote-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm infinispan-client-hotrod-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm infinispan-core-5.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-aesh-0.33.16-1.redhat_1.1.ep6.el7.noarch.rpm jboss-as-appclient-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-cli-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-client-all-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-clustering-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-cmp-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-connector-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-console-2.5.10-4.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-controller-client-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-core-security-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-deployment-repository-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-deployment-scanner-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-domain-http-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-domain-management-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-ee-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-ee-deployment-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-ejb3-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-embedded-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-host-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-jacorb-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-jaxr-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-jaxrs-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-jdr-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-jmx-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-jpa-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-jsf-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-jsr77-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-logging-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-mail-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-management-client-content-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-messaging-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-modcluster-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-naming-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-network-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-osgi-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-osgi-configadmin-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-osgi-service-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-picketlink-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-platform-mbean-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-pojo-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-process-controller-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-protocol-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-remoting-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-sar-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-security-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-server-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-system-jmx-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-threads-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-transactions-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-version-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-web-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-webservices-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-weld-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-as-xts-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jboss-hal-2.5.10-2.Final_redhat_2.2.ep6.el7.noarch.rpm jboss-security-negotiation-2.3.8-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-vfs2-3.2.10-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-weld-1.1-api-1.1.0-2.Final_redhat_7.1.ep6.el7.noarch.rpm jbossas-appclient-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jbossas-bundles-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jbossas-core-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jbossas-domain-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jbossas-javadocs-7.5.4-4.Final_redhat_4.1.ep6.el7.noarch.rpm jbossas-modules-eap-7.5.4-3.Final_redhat_4.1.ep6.el7.noarch.rpm jbossas-product-eap-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jbossas-standalone-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jbossas-welcome-content-eap-7.5.4-2.Final_redhat_4.1.ep6.el7.noarch.rpm jbossweb-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm jbossws-cxf-4.3.5-4.Final_redhat_3.1.ep6.el7.noarch.rpm weld-cdi-1.0-api-1.0.0-2.SP4_redhat_6.1.ep6.el7.noarch.rpm weld-core-1.1.31-1.Final_redhat_1.1.ep6.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5178 https://access.redhat.com/security/cve/CVE-2015-5188 https://access.redhat.com/security/cve/CVE-2015-5220 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWH92mXlSAg2UNWIIRAjgvAJ0d2SjrMrbrHDw0Zn39mFK6cDzdaQCeLvcV Sj2GUBHExVXaosdDIAIBUiw= =G/J1 - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.4 jboss-ec2-eap update Advisory ID: RHSA-2015:1907-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1907.html Issue date: 2015-10-15 CVE Names: CVE-2015-5178 CVE-2015-5188 CVE-2015-5220 ===================================================================== 1. Summary: Updated jboss-ec2-eap packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat JBoss Enterprise Application Platform 6.4.4 on Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 6.4 for RHEL 6 - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220) It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2015-5178) Note: Resolving this issue required a change in the way http requests are sent in the Console; this change may affect users. See the Release Notes linked to in the References section for details about this change. It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance. (CVE-2015-5188) The CVE-2015-5220 issue was discovered by Aaron Ogburn of Red Hat GSS Middleware Team, and the CVE-2015-5188 issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team. * The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.4. Documentation for these changes is available from the link in the References section. All jboss-ec2-eap users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, make sure to back up any modified configuration files, deployments, and all user data. After applying the update, restart the instance of Red Hat JBoss Enterprise Application Platform for the changes to take effect. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1250552 - CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking 1252885 - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console 1255597 - CVE-2015-5220 OOME from EAP 6 http management console 6. Package List: Red Hat JBoss EAP 6.4 for RHEL 6: Source: jboss-ec2-eap-7.5.4-1.Final_redhat_4.ep6.el6.src.rpm noarch: jboss-ec2-eap-7.5.4-1.Final_redhat_4.ep6.el6.noarch.rpm jboss-ec2-eap-samples-7.5.4-1.Final_redhat_4.ep6.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5178 https://access.redhat.com/security/cve/CVE-2015-5188 https://access.redhat.com/security/cve/CVE-2015-5220 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWH92vXlSAg2UNWIIRAh2EAKC/I+sQmEZuvUwv5DV+ZEzSgcLN0QCeKDF6 W7fAOpCHQh3kMjUY3WKgYck= =Hm1/ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBViB5oX6ZAP0PgtI9AQK+kxAAg4nIrxQtmU4C8ddkb9nZE9PsKDi8xEWl vDCKJm4OCMh7wlBbN1KDvnpdSC4h1AjgXrInLC2cQvQpStV18Dn830hJRiw/fut8 aaWVysRT9SPEkUo/IdMsgWmAOZdC/mCBRfrmp8/3iMuyGjsCrFxUXBw5l7KgF7/Y xlayXlxhA4278fNN+58Uzg446kxwrcCg6+VtnPOHPgcz5qwAe0lpLdlCuIB3ti6P skRPeyTu22Q5dbGzM/2t9gBc+rPJYSHCIuYbOLnJhqGcz0AKqKN/VlCEnd62Z2Ik MXSLBoK772xueYJcdsRC9Cv4SEnS8VtSFe+lrk9Gvo0G5tx3gYMQrxLgp/WGdRaW E+8V3Vi4bxUtc64Y16dKim9EhWJffgznanSmBM2m7ekD0ippwDpDnS0WN2ujOjXD eawAA5QNzdixDv/O0uS3Bld7wRZqMdMI+NBFWglYXmnTfk4Q3ePQBELFjDg0bYbX Bi3aiDAlPMTWdvyZg27fPJfP6X/5bGusnWX1dKeUqr4nNdIgDsmxCxf5Ygs7UhYs t2oubj3FGi62qCIzQzFFXZQSrZvmqccDp0EEn6wKj49787qp42JPPzD/D8Ze194o TkeerVkDytlR7ndKP7HJ2YBaSMyvjQbA2NBIBK+owgVBgP+TzuLebZ7WVXhdryr1 1xZBdI1iaIY= =diTB -----END PGP SIGNATURE-----